CVE-2025-23187
📋 TL;DR
This vulnerability allows unauthenticated attackers to generate technical metadata in SAP systems via an RFC-enabled function module in transaction SDCCN. It affects SAP systems with the vulnerable function module exposed. The impact is limited to integrity with no confidentiality or availability consequences.
💻 Affected Systems
- SAP NetWeaver
- SAP S/4HANA
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could generate misleading technical metadata that might disrupt system documentation or reporting processes.
Likely Case
Minimal operational impact - attackers could create unnecessary metadata entries but cannot access sensitive data or disrupt services.
If Mitigated
With proper network segmentation and RFC interface restrictions, the vulnerability becomes effectively non-exploitable.
🎯 Exploit Status
Direct exploitation requires network access to the vulnerable RFC interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: As specified in SAP Note 3546470
Vendor Advisory: https://me.sap.com/notes/3546470
Restart Required: Yes
Instructions:
1. Apply SAP Security Note 3546470
2. Restart affected SAP instances
3. Verify the patch is active
🔧 Temporary Workarounds
Restrict RFC Access
All platforms: Limit network access to RFC interfaces using firewall rules
Configure firewall to restrict access to RFC ports (typically 33xx, 48xx)
Disable Unnecessary RFC Functions
All platforms: Deactivate the vulnerable function module if not required
Use transaction SE37 to check and deactivate function module if possible
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SAP systems from untrusted networks
- Monitor RFC interface access logs for unauthorized connection attempts
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3546470 is missing in your system using transaction SNOTE
Check Version:
Run transaction SM51 to check the SAP kernel version and patch level
Verify Fix Applied:
Verify SAP Note 3546470 is implemented and active in transaction SNOTE
📡 Detection & Monitoring
Log Indicators:
- Unauthorized RFC calls to SDCCN-related function modules
- Unexpected metadata generation events
Network Indicators:
- Unusual traffic to RFC ports from unauthorized sources
SIEM Query:
source="SAP" AND (event="RFC_CALL" OR transaction="SDCCN") AND user="*" AND result="SUCCESS"
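One way to act on the network indicator above is to check flow records for connections to the RFC port ranges from sources outside an allowlist. This is an added example, not part of the advisory or any SAP tooling; the allowlist, the flow record layout and all sample records are constructed assumptions.

```python
import ipaddress

# RFC port ranges named on the page ("typically 33xx, 48xx").
RFC_PORT_RANGES = [(3300, 3399), (4800, 4899)]

# Assumption: sources permitted to reach RFC ports (constructed values).
ALLOWED_SOURCES = ["10.20.0.0/24", "10.20.5.17/32"]

# Constructed sample flow records: (timestamp, source IP, destination port).
SAMPLE_FLOWS = [
    ("2025-01-01T10:00:01Z", "10.20.0.15", 3300),
    ("2025-01-01T10:00:07Z", "192.0.2.44", 3301),
    ("2025-01-01T10:00:09Z", "192.0.2.44", 443),
    ("2025-01-01T10:01:30Z", "10.20.5.17", 4800),
    ("2025-01-01T10:02:12Z", "198.51.100.9", 4801),
    ("2025-01-01T10:02:40Z", "not-an-ip", 3300),
]


def is_rfc_port(port):
    """True if the port falls in one of the RFC ranges above."""
    return any(lo <= port <= hi for lo, hi in RFC_PORT_RANGES)


def unauthorized_rfc_flows(flows, allowed_cidrs):
    """Return flows that hit an RFC port from a source outside the allowlist."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for ts, src, port in flows:
        if not is_rfc_port(port):
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            # A malformed source field is surfaced rather than silently dropped.
            hits.append((ts, src, port, "unparseable source"))
            continue
        if not any(addr in n for n in nets):
            hits.append((ts, src, port, "source not in allowlist"))
    return hits


if __name__ == "__main__":
    for hit in unauthorized_rfc_flows(SAMPLE_FLOWS, ALLOWED_SOURCES):
        print(hit)
```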